anonymous identification in ad hoc groups
DESCRIPTION
Anonymous Identification in Ad Hoc Groups. Yevgeniy Dodis, Antonio Nicolosi , Victor Shoup {dodis, nicolosi ,shoup}@cs.nyu.edu New York University. Aggelos Kiayias [email protected] University of Connecticut. EuroCrypt 2004 Interlaken, Switzerland. May 6 th , 2004. - PowerPoint PPT PresentationTRANSCRIPT
Anonymous Identification in Ad Hoc Groups
EuroCrypt 2004Interlaken, SwitzerlandMay 6 th, 2004
Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup{dodis,nicolosi,shoup}@cs.nyu.edu
New York University
Aggelos [email protected]
University of Connecticut
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 2
Toy Example: Access-controlled Blog
• Alice is keeping a blog about her poems …• … and she only wants her friends to read them• But if one of them is doing all the reading, he
may not want Alice to notice …
Solution: Ad Hoc Anonymous Identification schemes (AHAIs)
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 3
Identification Schemes [FS86]
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 4
Anonymous Identification [CvH91,KP98]
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 5
Anonymous Identification (cont’d)• Alice cannot tell whom she is talking to
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 6
Ad Hoc Groups (a.k.a. Rings)
• Universe of users under a common PKI• Ad Hoc group formation: Do not need user’s
cooperation to include him into a group• Useful for leaking secrets [RST01]
– Ethical implications [Na02]?
• Proactive group creation: A group can be formed before all its members acted to join it
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 7
Our Contributions• New Cryptographic Functionality/Formal
Model • Generic Construction
– Accumulators with One-Way Domain• Efficient Instantiation (Based on Strong-RSA)• AHAIs: Variations
– Identity Escrow– Dynamic Joins
• Applications:– Constant-Size Ring Signatures– Group Signatures
via Fiat-Shamir
Heuristic
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 8
AHAI Syntax• Setup: system-wide initialization phase• Register: per-user initialization
– Each user picks a secret key/public key pair– Run only once, regardless of # groups user joins
• Make-GPK: combines a set of PKs into one GPK• Make-GSK: combines a user’s SK with a set of
PKs to yield a GSK• Anon-ID: protocol between a group member
(holding GSK) and a verifier (holding GPK)
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 9
AHAI Syntax revisited• Make-GPK (running time / to group size)
• Make-GSK (running time / to group size)
• Anon-ID (constant running time)…
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 10
Roadmap• New Cryptographic Functionality/Formal
Model • Generic Construction
– Accumulators with One-Way Domain• Efficient Instantiation (Based on Strong-RSA)• AHAIs: Variations
– Identity Escrow– Dynamic Joins
• Applications:– Constant-Size Ring Signatures– Group Signatures
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 11
Accumulators: Review• Intuition: Sets that don’t grow in size• Insertion into a set yields a larger set
• Insertion into an accumulator yields a new accumulator of the same size + a witness
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 12
Accumulators: Witnesses
– However, cannot prove non-membership
• Answer: the witness of a value “proves” its membership
• If accumulators don’t grow in size, how to tell what’s inside them?
?
• Collision-Resistance: Hard to “fake” witnesses for elements not in the accumulator
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 13
Accumulators with One-Way Domain
• Efficient instance based on the Strong-RSA Assumption [BdM93,BP97,CL02]
f
• Domain One-wayness: Elements of the accumulator belongs to the range of a one-way function f
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 14
A Generic Construction of AHAI
• Make-GPK:
• Register: f SKB PKB
… =: GPK
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 15
A Generic Construction of AHAI (cont’d)• Make-GSK: as Make-GPK, but also
keeps track of SK and of the witness for PK
GSKB :=
• Anon-ID:
GSKB :==: GPK
ZK-PoK{ , | ^ }f
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 16
Roadmap• New Cryptographic Functionality/Formal
Model • Generic Construction
– Accumulators with One-Way Domain• Efficient Instantiation (Based on Strong-RSA)• AHAIs: Variations
– Identity Escrow– Dynamic Joins
• Applications:– Constant-Size Ring Signatures– Group Signatures
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 17
AHAI Variations:• ID Escrow: To prevent abuse of anonymity,
can amend the scheme so that user identity can be recovered by a trusted party– Use efficient verifiable encryption/decryption
[CS03]– Soundness of the Anon-ID protocol also holds
against Identity Escrow Authority• Dynamic Joins
– If group changes, need to build a new GPK from scratch (time / to group size)
– But if changes are just user additions, can update GPK (and GSK) in time / to changes
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 18
Roadmap• New Cryptographic Functionality/Formal
Model • Generic Construction
– Accumulators with One-Way Domain• Efficient Instantiation (Based on Strong-RSA)• AHAIs: Variations
– Identity Escrow– Dynamic Joins
• Applications:– Constant-Size Ring Signatures– Group Signatures
via Fiat-Shamir
Heuristic
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 19
Application: Constant-Size Ring Sigs
• What’s the size of a ring signature?– Should only measure the piece of info that the
verifier needs beside description of the ring …– … both for theoretical and for practical reasons
• Since Anon-ID uses only O(1) communication, Anon-Sign yields signatures of constant size
• Anon-Sign also gives “off-line” ring signatures:– After linear-time pre-processing, can sign and
verify arbitrarily many messages in constant time
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 20
Application: Group Signatures• “Passive” Group Manager: just certifies GPK
f
=: GSKB
SKB := =: PKBJoin:
• Since GPK is provided by GM, producing and verifying group signatures takes O(1)
• Storage Efficiency: Member of k groups (run by different GMs) only needs O(1) secret storage + O(k) world-readable storage
=: {GPK}SKGM
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 21
Summary
• We discussed possible variations and applications (Ring Signatures with O(1) overhead)
• We proposed a novel cryptographic functionality (AHAI) enabling flexible, privacy-aware access control
• We designed an instance based on a new tool, efficiently constructible based on standard assumptions
May 6, 2004 Eurocrypt 2004—Antonio Nicolosi—NYU 22
Thank you!